Cellular Telephone Security



Tuesday, November 27, 2001



Matthew Manger

Marjorie Quant

Matthew Wiedemer

Outline

- Encryption
- Cellular Process
- Transmission Methods
- Manufacturer Vulnerabilities
- Hacking

Cellular Phone Encryption

- Hardware and software in the cellular phone
- Swapping or modifying the EPROM
  - Physically change the EPROM
  - Decompile/compile the software on the EPROM
- Modifying and bypassing the ESN/MIN
  - Usually located on the EPROM
  - http://www.totse.com/en/phreak/cellular_phones/csecret.html

The Process

- Power on: the handset transmits its ESN/MIN on the "reverse" channel; the cellular site verifies the MIN; the site transmits positive validation on the "forward" channel; the line is open.

[Flow chart: Are ESN/MIN valid? -> Yes - VALID]

- Vulnerabilities
  - Cloning or altering the ESN transmission process
  - Well-published hardware attacks on this vulnerability and less well-published software techniques
  - Attention is generally focused on the hardware attacks: fairly inexpensive and not too difficult to pull off
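The registration exchange described on this slide, as an added example that is not from the original presentation: a toy provider that, like the process above, accepts any handset presenting a matching ESN/MIN pair, plus an assumed provider-side check (not in the slides) that flags the same pair live at two different sites, the usual indicator of a cloned handset. The subscriber table, ESNs, MINs and site names are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample subscriber table: MIN (phone number) -> ESN the provider issued.
SUBSCRIBERS = {
    "6125550101": "82A1F3C9",
    "6125550102": "82A1F3D0",
}


@dataclass
class Provider:
    """Toy provider: a subscriber table plus a record of which site serves each pair."""
    subscribers: dict
    active: dict = field(default_factory=dict)   # (esn, min) -> site currently serving it
    alerts: list = field(default_factory=list)   # provider-side fraud flags (assumed check)

    def register(self, site: str, esn: str, min_: str) -> str:
        """Handset powers on at `site` and sends ESN/MIN on the reverse channel.
        Returns the message the site sends back on the forward channel."""
        if self.subscribers.get(min_) != esn:
            return "REJECT"      # MIN unknown, or ESN does not match the MIN on file
        # The process on the slide stops here: a matching pair is all that is checked,
        # so a handset programmed with a copied pair receives the same VALID answer.
        prior = self.active.get((esn, min_))
        if prior is not None and prior != site:
            # Added defensive check (assumption, not in the slides): the same pair is
            # already live at another site, which one physical handset cannot do.
            self.alerts.append(f"{esn}/{min_} active at {prior} and {site}")
        self.active[(esn, min_)] = site
        return "VALID"           # forward channel: positive validation, line is open


def demo() -> tuple:
    """Run three registrations and return (forward-channel replies, provider alerts)."""
    p = Provider(SUBSCRIBERS)
    replies = [
        p.register("site-A", "82A1F3C9", "6125550101"),   # legitimate handset
        p.register("site-A", "DEADBEEF", "6125550101"),   # ESN does not match the MIN
        p.register("site-B", "82A1F3C9", "6125550101"),   # same pair, second site
    ]
    return replies, p.alerts


if __name__ == "__main__":
    print(demo())   # (['VALID', 'REJECT', 'VALID'], ['82A1F3C9/6125550101 active at site-A and site-B'])
```

Note that the third handset still gets VALID over the air; only the provider's cross-site record reveals that something is wrong, which is why the check has to live in the provider's database rather than at a single cell site.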

Cloning a Phone

- Alter the ESN/MIN codes on the EPROM
  - Alter the software on the EPROM
    - Have the code jump to a different address
  - Programmable by a handset
    - Use the cell phone to scan and capture ESNs to be stored in the EPROM
  - Decompile/compile the code on the EPROM

Cellular Phone Transmission Methods

- Digital
  - Time Division Multiple Access (TDMA)
  - Code Division Multiple Access (CDMA)
- Analog
  - Frequency Division Multiple Access (FDMA)
- Global System for Mobilization (GSM)
  - Established in 1982 to standardize European mobile communication systems

Source: http://www.iec.org, Time Division Multiple Access (TDMA)

CDMA - Authentication, Secrecy & Identification

- Process

Source: CDMA Cellular Mobile Communications: Network and Security, Man Young Rhee, Prentice-Hall PTR, Upper Saddle River, NJ, 1998

Vulnerabilities

- Manufacturers researched
  - Nokia, Ericsson, Motorola, Panasonic
- Causes of vulnerabilities
  - Design/implementation flaws
  - Manufacturer (Nokia, Motorola)
  - Human impatience and ignorance

Vulnerabilities cont...

- Number Assignment Module (NAM) programming
  - Primary phone identifiers
    - ESN – Electronic Serial Number (hardware)
    - MIN – Mobile Identification Number (software)
  - Other identifiers
    - SCM – Station Class Mark (software)
    - SIDH – System Identification for Home System (software)
- Design exploits (wiretapping)
  - Pin output
  - Serial cable tutorials

Phone Identifiers

- Easy step
  - Access the programming menu
    - http://www.hackcanada.com/ice3/cellular/index.html
    - gsm_underground@yahoogroups.com
  - Change MIN (phone number)
  - Change SIDH (city identifier)
  - Call service provider
    - http://www.totse.com/en/phreak/cellular_phones/cellpmod.html

Phone Identifiers cont...

- Harder step
  - Obtain the ESN number of the phone you want to clone
    - Look under the battery
    - Access the programming menu
  - Identify the EPROM chip in your cell phone
  - Flash the EPROM chip with the new information

Hacking Techniques

- Systems perspective
  - Many different points of attack
- What is your goal?
  - Illegal free cell phone use for you and your friends
  - Denial of service
  - Listen in

System Vulnerabilities

- People
  - Insiders – ask your buddy to "hook you up"
- Computer networks
  - Hack into the provider database
  - HDML/WML servers, etc.
- Wireless networks
  - Base stations, MTSO, local office
- Physical security
  - Check out hotels, office buildings, base stations, etc.
- Cell phone handsets
  - Biggest threat...

Handset Hacking

- Most convenient, easy, widespread
- Basic reconnaissance
  - FCC ID check for manuals, diagrams, etc.
  - Gather technical info from the service provider, retailer, phone manufacturer: brochures, web sites, etc.
  - Hacker web search (http://mobile.box.sk/, http://www.hackcanada.com/, etc.)
- A little more in depth
  - Open it up – check out chip types, numbers; EPROM!
  - Access "secret" menus – more recon
  - Social engineering (tech support)
  - Start over again with more in-depth searches on Google

More Cell Phone Hacking

- Hardware modifications
  - Flash EPROM – need EPROM flashing hardware
  - More modern phones can have SmartMedia, flash cards, etc.
  - Change identifiers, phone numbers, modify system software
- Software modifications
  - Change settings under "secret" menus
- All are handset-dependent!

Kyocera (Qualcomm) QCP-2035 Example

- Take out the battery – see the FCC ID and ESN
- FCC ID search (http://www.fcc.gov/oet/fccid/) basically unsuccessful
- Hacker web sites
  - http://www.hackcanada.com/ice3/cellular/ yields the "111111" code for the secret menu
  - Menu includes many options: "040793" = debug code, "??????" = programming code for SprintPCS, "000000" = programming code for Verizon
- Programming menu: change phone number, home area, country code, message encoding/size, many other settings not normally available...
- Known DoS: set your phone # to someone else's in the same area – their calls go unanswered
- More info on http://www.cdma.f2s.com/

Kyocera (Qualcomm) QCP-2035 Example cont.

- SprintPCS uses Wireless Web
  - Access to HDML, WML pages – have to have some connection to the www...
  - IP address under the menu is 208.18.146.75:1905 or 208.18.146.139:1905 – found to be wapproxy1.upl.sprintpcs.com and wapproxy2.upl.sprintpcs.com
  - Potential DoS for Wireless Web, launching point for entry into the SprintPCS computer network...
- Still going...

Conclusion

Wireless technology is convenient, yet SCARY!

This pertains to both wireless communication and computing!!

Questions

